Attorneys beware: The danger of storing information in the cloud

In recent years, storing information in the cloud has certainly been a hot topic among law firms all over the world. The thought of adapting to this new storage option has sparked controversy about the pros and cons of the cloud. It can definitely be a dangerous road for attorneys to travel if they are not careful.

“Clouds,” as they are often called, are large “server farms” where high-powered computers are kept in a large warehouse. Cloud providers are typically third parties that serve clients from a variety of professions, ranging from manufacturers to retail stores, to service-based businesses (such as lawyers), to entertainment companies and more.

At times you may not know where your data is actually housed, since data is moved from location to location based on the administration decisions made by the provider. Therefore, legal professionals should take into account their unique confidentiality and privilege requirements when entrusting the cloud with corporate or legal department data.

Benefits

Most corporations are already using a cloud-based service whether they are storing data offsite or using software programs that reside on the cloud. The most basic benefit of cloud computing is the ability to pool a large number of computing resources without having to build, maintain and store all the necessary equipment and programs. For some companies, it may be less complicated and less costly to pay a monthly fee to run their programs and store their data, rather than diverting in-house IT staff to install, update and maintain software.

Challenges for legal data

Privacy and security concerns are paramount for legal professionals when using the cloud. It is difficult to ensure the confidentiality of client data since the computers containing that information may be in an unknown location outside the jurisdiction where a law firm practices, perhaps even outside the U.S. Additionally, the site may be administered by non-legal staff with access to the firm’s data. This raises the possibility of a breach of ethical duty to keep a client’s information confidential.

File-sharing applications are examples of easy-to-use tools that, at face value, appear to solve some major logistical problems. Many attorneys share documents with their co-counsel or clients on file-sharing sites that are not designed with the privacy and security concerns of the legal world in mind. The same is true when emailing confidential information to webmail accounts such as Gmail or Hotmail; the user agreements for these sites typically divest users of any right to privacy. With forwarding capabilities and email aliasing, you may not even know that you are transmitting information to a major webmail provider—but you are.

Jurisdiction location can also become a major issue since many cloud computing facilities may not be located geographically close to the actual users of the data. Computers holding key data may not even be located within the borders of the U.S. and would therefore not be subject to the same privacy and privilege rules as American-based machines are.

Considerations for corporate counsel

This is a particularly tricky issue for large corporations that may have offices and data that already reside outside the U.S. Corporations also must be careful of potential data security violations and privacy rules in foreign countries, some of which may be criminal offenses abroad. Inside counsel may not have as much control over their corporation’s cloud use; however, they can still take steps to ensure that legal data and critical corporate documents are being safeguarded.

In order to determine whether the cloud is an appropriate place for firm or client data, attorneys must evaluate their particular risks. A company on continuous litigation holds may not want to release control over their information by storing it offsite. Alternatively, a company with a large number of regional offices and geographically dispersed litigation teams may find that the cloud provides an excellent solution to collaborative document review and case strategy.

When choosing a vendor, companies and their counsel should research the following and determine how closely a vendor aligns with their most common needs:

Data retention and archiving

Data discoverability by a third party (with or without consent)

Ability for cloud company’s staff to sign an affidavit

Privacy and security policies for employees

Experience and familiarity with legal holds, including the ability to enact a selective litigation hold

Ability to obtain documents from the cloud in a timely fashion

If deletion can be certified (typically required in protective orders)

Forensic collection procedures (and whether you can specify a vendor to come into their facilities and collect)

It is inevitable that more applications will be served and more data will be stored in cloud farms in the near future—the amount of information in the modern digital world combined with the processing and storage requirements of businesses demand it.

Given the discussions currently revolving around cloud computing and internet privacy, governments are likely to develop a set of standards for the industry sooner rather than later.

Legal professionals and corporate counsel have special considerations when using the cloud. This is particularly true since cloud computing is an excellent example of where a litigation risk may outweigh an IT or security gain. Counterintuitive as it may seem, corporate counsel should be at the table when deciding about cloud storage for critical company documents, especially if the company is frequently susceptible to lawsuits. Although the move towards cloud computing may be inevitable, using those resources means extra planning and consideration when it comes to litigation.